By Cluster25 Threat Intel Team
March 16, 2023



We are proud to announce that Cluster25 has joined the VirusTotal community, improving its website/domain scanning engine.

VirusTotal was founded in 2004 as a free service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. It inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. VirusTotal was acquired by Google in 2012 and, in 2018, the ownership switched to Chronicle, a subsidiary of Alphabet.

Starting in March 2023, part of the Cluster25 intelligence will be shared with the VirusTotal community, allowing users to get insights about suspicious or malicious IP addresses, domains, and URLs.


Users can submit suspicious IPs, domains, or URLs through the corresponding VirusTotal page and find the Cluster25 verdict among the results.

Here we display an example in which the result is "malicious":

The finding may be one of the following:

  • Malicious: the submitted entry is related to a malware campaign or involved in observed malicious activities;
  • Phishing: the submitted entry is related to observed phishing campaigns;
  • Spam: the submitted entry is involved in massive spam campaigns;
  • Suspicious: the submitted entry is related to some sort of suspicious activity but the attribution is unknown;
  • Clean: the dataset shared with VirusTotal does not contain the submitted entry.

Since only a portion of the intelligence from Cluster25 is shared with the VirusTotal community, a "Clean" rating only means the entry is absent from the shared dataset: intelligence on many of the entries rated "Clean" may be available only on the paid version of the C25 Platform.

For some entries, we also share with VirusTotal specific information about attribution or usage, which appears under the Crowdsourced Context section.

For example, an IP address may be used as a command-and-control server for a QakBot campaign, as shown in the following image:

Enjoy our public Intelligence!